What are the default user permissions in Azure Active Directory?

In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects. This article describes those default permissions and contains a comparison of the member and guest user defaults. The default user permissions can be changed only in the user settings in Azure AD.

Member and guest users

The set of default permissions a user receives depends on whether the user is a native member of the tenant (a member user) or a guest.

  • Member users can register applications, manage their own profile photo and mobile phone number, and change their own password. In addition, member users can read all directory information (with a few exceptions).
  • Guest users have restricted directory permissions. For example, guest users cannot browse information from the tenant beyond their own profile information. However, a guest user can retrieve information about another user by providing that user's User Principal Name or objectId. A guest user can read properties of groups they belong to, including group membership, regardless of the "Guest users permissions are limited" setting. A guest cannot view information about any other tenant objects.

Default permissions for guests are restrictive. Guests can be added to administrator roles, which grant them the full read and write permissions contained in the role. One additional restriction is available: the ability for guests to invite other guests. Setting "Guests can invite" to No prevents guests from inviting other guests. To grant guest users the same default permissions as member users, set "Guest users permissions are limited" to No. This setting grants all member user permissions to guest users by default and also allows guests to be added to administrative roles.

Compare member and guest default permissions

| Area | Member user permissions | Guest user permissions |
|---|---|---|
| Users and contacts | Read all public properties of users and contacts; Invite guests; Change own password; Manage own mobile phone number; Manage own photo; Invalidate own refresh tokens | Read own properties; Read display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts; Change own password |
| Groups | Create security groups; Create Office 365 groups; Read all properties of groups; Read non-hidden group memberships; Read hidden Office 365 group memberships for joined groups; Manage properties, ownership, and membership of groups the user owns; Add guests to owned groups; Delete owned groups; Restore owned Office 365 groups | Read all properties of groups; Read non-hidden group memberships; Read hidden Office 365 group memberships for joined groups; Manage owned groups; Add guests to owned groups (if allowed); Delete owned groups; Restore owned Office 365 groups; Read properties of groups they belong to, including membership |
| Applications | Register (create) new applications; Read properties of registered and enterprise applications; Manage application properties, assignments, and credentials for owned applications; Create or delete application passwords for the user; Delete owned applications; Restore owned applications | Read properties of registered and enterprise applications; Manage application properties, assignments, and credentials for owned applications; Delete owned applications; Restore owned applications |
| Devices | Read all properties of devices; Manage all properties of owned devices; Delete owned devices | No permissions |
| Directory | Read all company information; Read all domains; Read all partner contracts | Read display name and verified domains |
| Roles and Scopes | Read all administrative roles and memberships; Read all properties and membership of administrative units | No permissions |
| Subscriptions | Read all subscriptions; Enable Service Plan Member | No permissions |
| Policies | Read all properties of policies; Manage all properties of owned policies | No permissions |

To restrict the default permissions for member users

Default permissions for member users can be restricted in the following ways.

| Permission | Setting explanation |
|---|---|
| Users can register applications | Setting this option to No prevents users from creating application registrations. The ability can then be granted back to specific individuals by adding them to the Application Developer role. |
| Allow users to connect work or school account with LinkedIn | Setting this option to No prevents users from connecting their work or school account with their LinkedIn account. |
| Ability to create security groups | Setting this option to No prevents users from creating security groups. Global administrators and User administrators can still create security groups. |
| Ability to create Office 365 groups | Setting this option to No prevents users from creating Office 365 groups. Setting this option to Some allows a selected set of users to create Office 365 groups. Global administrators and User administrators can still create Office 365 groups. |
| Restrict access to Azure AD administration portal | Setting this option to Yes prevents users from accessing Azure Active Directory through the Azure portal. This restriction applies to the portal only. |
| Ability to read other users | This setting is available in PowerShell only. Setting this flag to $false prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services, such as Exchange Online. This setting is meant for special circumstances, and setting this flag to $false is not recommended. |
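As an added example (not code from this article or from Microsoft), the script below audits the tenant-wide defaults discussed above using the Microsoft Graph PowerShell SDK, where these settings are exposed on the tenant's authorization policy. The function name, finding text and the constructed sample object are this example's own; the role template IDs are the well-known values that guestUserRoleId can hold.

```powershell
# Added example, not code from the Microsoft Docs page: audit the tenant-wide
# defaults described in this article with the Microsoft Graph PowerShell SDK.
# The portal toggles "Users can register applications" and "Ability to create
# security groups", the "Guests can invite" and "Guest users permissions are
# limited" settings, and the PowerShell-only read-other-users flag map to the
# authorization-policy fields checked below. Function and finding text are this
# example's own.

# Well-known role template IDs that guestUserRoleId can hold:
$GuestLimitedRoleId  = '10dae51f-b6af-4016-8d66-8c2a99b929b3'  # "Guest users permissions are limited" = Yes
$GuestAsMemberRoleId = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # = No: guests get member-user defaults

function Test-DefaultUserPermissions {
    param([Parameter(Mandatory)] $Policy)  # output of Get-MgPolicyAuthorizationPolicy
    $d = $Policy.DefaultUserRolePermissions
    $findings = @()
    if ($d.AllowedToCreateApps) {
        $findings += 'Any member can register applications; set to No and use the Application Developer role instead'
    }
    if ($d.AllowedToCreateSecurityGroups) {
        $findings += 'Any member can create security groups'
    }
    if (-not $d.AllowedToReadOtherUsers) {
        # The article says $false here is for special circumstances only.
        $findings += 'Non-admins cannot read other users; confirm this is intended'
    }
    if ($Policy.AllowInvitesFrom -eq 'everyone') {
        $findings += 'Guests can invite other guests ("Guests can invite" = Yes)'
    }
    if ($Policy.GuestUserRoleId -eq $GuestAsMemberRoleId) {
        $findings += 'Guests have member-user default permissions ("Guest users permissions are limited" = No)'
    }
    return $findings
}

# Offline run against a constructed policy object shaped like the SDK output,
# representing a tenant still on factory defaults:
$sample = [pscustomobject]@{
    AllowInvitesFrom           = 'everyone'
    GuestUserRoleId            = $GuestLimitedRoleId
    DefaultUserRolePermissions = [pscustomobject]@{
        AllowedToCreateApps           = $true
        AllowedToCreateSecurityGroups = $true
        AllowedToReadOtherUsers       = $true
    }
}
Test-DefaultUserPermissions -Policy $sample

# Live tenant (Policy.Read.All to read; Policy.ReadWrite.Authorization to change):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# Test-DefaultUserPermissions -Policy (Get-MgPolicyAuthorizationPolicy)
# Example remediation, turning "Users can register applications" to No:
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }
```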

Object ownership

Application registration owner permissions

When a user registers an application, they are automatically added as an owner of the application. As an owner, they can manage the metadata of the application, such as the name and the permissions the app requests. They can also manage the tenant-specific configuration of the application, such as the user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the applications they own.

Enterprise application owner permissions

When a user adds a new enterprise application, they are automatically added as an owner. As an owner, they can manage the tenant-specific configuration of the application, such as the user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the applications they own.

Group owner permissions

When a user creates a group, they are automatically added as an owner of that group. As an owner, they can manage properties of the group, such as the name, as well as manage group membership. An owner can also add or remove other owners. Unlike Global administrators and User administrators, owners can manage only the groups they own. To assign a group owner, see Managing owners for a group.

Ownership permissions

The following tables describe the specific permissions that member users have in Azure Active Directory over objects they own. A user has these permissions only on objects they own.

Owned application registrations

Users can perform the following actions on owned application registrations.

| Action | Description |
|---|---|
| microsoft.directory/applications/audience/update | Update the applications.audience property in Azure Active Directory. |
| microsoft.directory/applications/authentication/update | Update the applications.authentication property in Azure Active Directory. |
| microsoft.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory. |
| microsoft.directory/applications/credentials/update | Update the applications.credentials property in Azure Active Directory. |
| microsoft.directory/applications/delete | Delete applications in Azure Active Directory. |
| microsoft.directory/applications/owners/update | Update the applications.owners property in Azure Active Directory. |
| microsoft.directory/applications/permissions/update | Update the applications.permissions property in Azure Active Directory. |
| microsoft.directory/applications/policies/update | Update the applications.policies property in Azure Active Directory. |
| microsoft.directory/applications/restore | Restore applications in Azure Active Directory. |
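Because an application registration owner can update the app's credentials and add further owners (the credentials/update and owners/update actions above), reviewers usually want to see who owns each credential-bearing registration. The following is an added example, not code from this article or from Microsoft; the function name, the owner-lookup callback and the constructed sample data are this example's own.

```powershell
# Added example, not code from the Microsoft Docs page: report each application
# registration's owners together with whether the registration currently holds
# client secrets or certificates, so owner sprawl on credential-bearing apps can
# be reviewed. Function name, callback shape and sample data are this example's own.

function Get-AppOwnershipReport {
    param(
        [Parameter(Mandatory)] $Applications,               # objects with Id, DisplayName, PasswordCredentials, KeyCredentials
        [Parameter(Mandatory)] [scriptblock] $OwnerLookup   # given an app Id, returns the owners' display identifiers
    )
    foreach ($app in $Applications) {
        $owners = @(& $OwnerLookup $app.Id)
        [pscustomobject]@{
            App            = $app.DisplayName
            HasCredentials = (@($app.PasswordCredentials).Count + @($app.KeyCredentials).Count) -gt 0
            OwnerCount     = $owners.Count
            Owners         = $owners -join ', '
        }
    }
}

# Offline run on constructed sample data (one app with a secret, one without):
$apps = @(
    [pscustomobject]@{ Id = 'app-1'; DisplayName = 'Payroll Connector'; PasswordCredentials = @(@{}); KeyCredentials = @() },
    [pscustomobject]@{ Id = 'app-2'; DisplayName = 'Intranet Widget';   PasswordCredentials = @();    KeyCredentials = @() }
)
$sampleOwners = @{
    'app-1' = @('alice@contoso.example', 'bob@contoso.example')
    'app-2' = @('carol@contoso.example')
}
Get-AppOwnershipReport -Applications $apps -OwnerLookup { param($id) $sampleOwners[$id] } |
    Where-Object { $_.HasCredentials } | Format-Table -AutoSize

# Live tenant with the Microsoft Graph PowerShell SDK (Application.Read.All):
# Connect-MgGraph -Scopes 'Application.Read.All'
# Get-AppOwnershipReport -Applications (Get-MgApplication -All) -OwnerLookup {
#     param($id)
#     Get-MgApplicationOwner -ApplicationId $id | ForEach-Object {
#         # Owners may be users (with a UPN) or service principals (fall back to the object Id)
#         if ($_.AdditionalProperties['userPrincipalName']) { $_.AdditionalProperties['userPrincipalName'] } else { $_.Id }
#     }
# }
```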

Owned enterprise applications

Users can perform the following actions on owned enterprise applications. An enterprise application is made up of a service principal, one or more application policies, and sometimes an application object in the same tenant as the service principal.

| Action | Description |
|---|---|
| microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
| microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory. |
| microsoft.directory/policies/delete | Delete policies in Azure Active Directory. |
| microsoft.directory/policies/owners/update | Update the policies.owners property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update the servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignments/update | Update the users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/audience/update | Update the servicePrincipals.audience property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/authentication/update | Update the servicePrincipals.authentication property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/credentials/update | Update the servicePrincipals.credentials property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/owners/update | Update the servicePrincipals.owners property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/permissions/update | Update the servicePrincipals.permissions property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/policies/update | Update the servicePrincipals.policies property in Azure Active Directory. |
| microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |

Owned devices

Users can perform the following actions on owned devices.

| Action | Description |
|---|---|
| microsoft.directory/devices/bitLockerRecoveryKeys/read | Read the devices.bitLockerRecoveryKeys property in Azure Active Directory. |
| microsoft.directory/devices/disable | Disable devices in Azure Active Directory. |

Owned groups

Users can perform the following actions on owned groups.

| Action | Description |
|---|---|
| microsoft.directory/groups/appRoleAssignments/update | Update the groups.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
| microsoft.directory/groups/dynamicMembershipRule/update | Update the groups.dynamicMembershipRule property in Azure Active Directory. |
| microsoft.directory/groups/members/update | Update the groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/update | Update the groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
| microsoft.directory/groups/settings/update | Update the groups.settings property in Azure Active Directory. |
